Senators Mark Kirk [R-IL] and Kirsten Gillibrand [D-NY] announced a bill that increases the maximum jail time for "obtaining information from a protected computer without authorization" -- which covers anything you do that violates the BS Terms of Service we all break all day long.

If you're in Los Angeles this evening, please join me at a special screening of the documentary about the late Aaron Swartz, "The Internet's Own Boy." The film has been shortlisted for an Academy Award. After the screening, I will host a question and answer session with the film's director, Brian Knappenberger.

Lisa Rein writes, "This year's annual Aaron Swartz Day event is happening Saturday, November 8th at 6pm at the Internet Archive in San Francisco. The reception starts at 6pm, and activities are going on straight through until 10:30 pm."

Laws like the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act put security researchers at risk of felony prosecution for telling you about bugs in the computers you put your trust in, turning the computers that know everything about us and watch everything we do into reservoirs of long-lived pathogens that governments, crooks, cops, voyeurs and creeps can attack us with.

Andrew “weev” Auernheimer is serving a 41-month sentence for visiting a publicly available webpage and revealing that AT&T had not secured its customers' sensitive financial information. Now, weev's lawyers are appealing, and in the opening day's arguments, Assistant US Attorney Glenn Moramarco admitted, "I don’t even understand what [Auernheimer actually did.]" Then he compared it to blowing up a nuclear power-plant.

The CIA's Inspector General has asked the Justice Department to consider criminally charging CIA agents who spied on a Senate committee that was engaged in writing a report that was highly critical of the CIA's use of torture. Senator Mark Udall, who sits on a CIA oversight committee and whose staff was spied on by the CIA, alleges that the CIA surveilled overseeing senators and their staff with Obama's knowledge and consent.

In a recent hearing, Senator Ron Wyden asked the CIA director repeatedly whether the Computer Fraud and Abuse Act, America's major anti-hacking statute, applied to the CIA, and whether the CIA spied domestically. CIA director John Brennan replied "yes" and "no," respectively. If Udall's allegations are correct, this means that Brennan lied to Congress (in the second instance) and committed a felony (in the first instance).

The report that caused some CIA agents to spy on their bosses was about how the CIA was wasting time, getting nowhere and doing something illegal and cruel when it kidnapped terror suspects and tortured the shit out of them.

In Matot v. CH, et al, a middle school assistant principal named Adam Matot asked a court to find that two students who'd set up parody social media accounts mocking him had violated the Computer Fraud and Abuse Act, and when the court laughed that out the door, asked the court to find that the students had violated the RICO Act and were engaged in organized crime. Thankfully, the court understood that this was raw sewage disguised as legal theory [PDF] ("Congress did not intend to target the misguided attempts at retribution by juvenile middle school students against an assistant principal in enacting RICO.") and found for the kids. Here's some trenchant analysis from Venkat Balasubramani:

A large group of "security researchers, academics, and lawyers" have signed onto a letter to Congress demanding that lawmakers enact "Aaron's Law," which would reform the antiquated and terrible Computer Fraud and Abuse Act, which US prosecutors claim makes violating online terms of service into a felony punishable by imprisonment. This is the law that was used to persecute Aaron Swartz, who was accused of violating terms of service by automatically downloading academic articles, rather than accessing them one at a time. The federal prosecutor threatened Aaron with 35 years in prison.

Stephen Heymann is the assistant US attorney who made it his mission to see Aaron Swartz sent to prison for violating terms of service by downloading scientific papers with an automatic script, rather than individually, by hand. Heymann spent a lot of time working with MIT on this -- Aaron used MIT's network to allegedly violate the terms of service -- and in his efforts to get MIT to stay involved in the face of public criticism for their cooperation, he compared Aaron to a rapist who blames his victim. Aaron's lawyers have asked the DoJ to investigate Heymann for breaches of professional standards.

Update: Cohn wrote in to add, "The prosecution turned on whether Aaron's access to JSTOR via the MIT network was 'unauthorized' and MIT had tremendous power over which way that decision went in the case. The report acknowledges this but simply repeats MIT's assertion that it didn't actually realize it without criticism or noting how unreasonable (or not believable) this assertion is. The CFAA isn't unknown or unknowable and the folks handling this are in the General Counsel's office. 'Unauthorized access' is the statutory language. And of course MIT's belief that Aaron's access might be unauthorized (as in violation of MIT's policies or maybe JSTOR's) is why they called the police and why he was arrested at their instigation. The idea that after they called the cops they didn't understand what law might have been broken or why their network openness and policies mattered to that determination, such that they never even volunteered the information or asked the prosecution for its theory or more importantly gave information about this to the defense, just isn't believable."

Update: EFF has retracted this post.
The Electronic Frontier Foundation's Trevor Timm explains a disturbing and overlooked fact about the trial of Bradley Manning; the charge-sheet against him included two separate felonies under the Computer Fraud and Abuse Act, an ancient anti-hacking statute that has been used as a club to threaten security researchers and activists like Aaron Swartz. The CFAA makes it a separate offense to leak classified information using a computer, such that anyone caught doing so can be charged twice: first under the Espionage Act and again under the CFAA.

This gives tremendous and terrible leverage to prosecutors, who come to the negotiating table with double the ammo: "We'll drop the CFAA charges if you plead guilty to the Espionage Act charges" (or vice-versa). The reality is that there's nothing special about using a computer to leak documents -- indeed, these days you'd be hard pressed not to use a computer -- now that photocopiers, fax machines, phones, cameras and even the daily paper are all built out of computers.

Several Congresses have failed to modernize the CFAA, because the DoJ has forcefully argued that the ability to threaten people with decades in jail for simply using computers has given them the leverage to force "bad guys" to plead guilty, rather than getting a day in court.

Taren Stinebrickner-Kauffman, Aaron's partner, vigorously disputes the report's findings, calling it a whitewash, pointing out that MIT provided significant aid to the federal prosecutors who chased Aaron over downloading technical articles (which he was entitled to see) from its network, but refused to supply the same documents to the defense team, who desperately needed them. This makes MIT's claim of "neutrality" ring false.

Further, Larry Lessig has posted some preliminary thoughts on MIT's position, pointing out that it turned on a question of authorized or unauthorized access, and that the report says MIT never told the prosecutors that Aaron's access was "unauthorized," suggesting that the prosecutors knew they had no case.

When my friend Aaron Swartz committed suicide in January, he'd been the subject of a DoJ press-release stating that the Federal prosecutors who had indicted him were planning on imprisoning him for 25 years for violating the terms of service of a site that hosted academic journals.

Tim Wu's New Yorker piece on Aaron Swartz and the Computer Fraud and Abuse Act explains how Obama could, with one speech, fix the worst problem with the worst law in technology. The CFAA makes it a felony to "exceed your authorization" on a computer system, and fed prosecutors have taken the view that this means that if you violate terms of service, you're a felon, and they can put you in jail. As Wu points out, Obama doesn't need Congress to pass a law to fix this, he could just tell the DoJ that they should stop doing this. There's plenty of precedent, and it would be excellent policy.

When judges or academics say that it is wrong to interpret a law in such a way that everyone is a felon, the Justice Department has usually replied by saying, roughly, that federal prosecutors don’t bother with minor cases—they only go after the really bad guys. That has always been a lame excuse—repulsive to anyone who takes seriously the idea of “a government of laws, not men.” After Aaron Swartz’s suicide, the era of trusting prosecutors with unlimited power in this area should officially be over...

There is a much more immediate and effective remedy: the Justice Department should announce a change in its criminal-enforcement policy. It should no longer consider terms-of-service violations to be criminal. It can join more than a dozen federal judges and scholars, like Kerr, who adopt a reasonable and more limited interpretation. The Obama Administration’s policy will have no effect on civil litigation, so firms like Oracle will retain their civil remedies. President Obama’s DREAM Act enforcement policy, under which the Administration does not deport certain illegal immigrants despite Congress’s inability to make the act a law, should be the model. Where Congress is unlikely to solve a problem, the Administration should take care of business itself.

All the Administration needs to do is to rely on the ancient common-law principle called the “rule of lenity.” This states that ambiguous criminal laws should be construed in favor of a defendant. As the Supreme Court puts it, “When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” So far, at least thirteen federal judges have rejected the Justice Department’s interpretation of the Computer Fraud and Abuse Act. If that’s not a sign that the law is unclear and should be interpreted with lenity, I don’t know what is.